Companies could be wasting money on IT security systems - because they are ignoring the threat posed by new removable media devices.
The warning follows a new survey from mobile security specialists Pointsec.
It shows that removable media devices such as media players and USB flash drives are now routinely used by a huge number of employees in the vast majority of UK businesses, but with little regard to the security threat they pose.
The firm says preventing people bringing removable media devices into the office is an extremely difficult problem.
However, although they are fun and convenient they are very easy to lose or abuse.
If companies are to avoid breaching new legislation such as Sarbanes-Oxley, Basel 2 and the Data Protection Act, and to avoid falling victim to the havoc these tiny portable devices can cause, they need to get to grips rapidly with the risks associated with removable media and protect themselves against them.
Pointsec says that a staggering two-thirds of IT professionals who use USB flash drives themselves at work admitted that they did not protect them with encryption even though they are aware of the associated dangers.
The firm believes the survey highlights that a large number of organisations are yet to address the problem of removable media.
With removable media plummeting in price, memory capacity soaring and more people using them at work, companies need to be aware of how easy it is for staff to use them, lose them or take competitive information away on them, all in the palm of their hands.
If a device is lost or stolen, the vast amounts of valuable company information on it could seriously expose a company to extortion, digital identity fraud, or damage to its reputation, integrity and brand.
Results of the survey show:
* Removable media devices are being used in 84 per cent of companies.
* On average 31 per cent of employees within a company are utilising them in the office.
* Ninety per cent of those surveyed were aware of the potential danger that removable media presents.
* A third of organisations state that removable media is being used within their company without authorization.
* Forty-one per cent of IT professionals are not aware of how easy it is to protect the data on a removable media device.
Martin Allen, managing director of Pointsec UK, said: "There seems little point in companies spending vast sums of money on information security if at the same time they're letting their staff use these devices at work which allow them unhindered access to download vast quantities of sensitive company information."
He added: "Organisations need to introduce strict guidelines on the use of removable media devices in the workplace, as well as investing in encryption software which will allow administrators to force the encryption of all data put onto a mobile device.
"Using this type of software is just as vital and inexpensive as using anti-virus software, yet only a fraction of organisations have woken up to the problem."
The proliferation of high-capacity media players and USB flash drives on the market makes it possible to save anything up to 100 GB of information on a single device.
This means an employee could download four million documents of valuable data on what appears at first sight to be just an entertainment tool.
USB pen drives and USB memory sticks can now store four GB of data, which equates to around 160,000 documents.
In addition, employees could unintentionally expose their organisation to infection from viruses or worms when these devices are used to transfer data from non-company-controlled computers to the user's computer at work.
Pointsec has issued a seven-point guideline to help firms combat the problem. It recommends:
* Deploy user mobile guidelines or ensure that your corporate IT security policy includes corporate directives that state the importance of proper handling of mobile devices such as removable media.
* Ensure that all members of staff are aware that their employment does not allow non-company devices to be used within the company network.
* Use encryption software such as Pointsec Media Encryption, which enables centralised policy enforcement of strong encryption of all data stored on mobile devices and removable media.
* Use policies to control the number of login attempts that people may use to try to get at information they shouldn't.
* Have methods in place which enable encrypted data to be decrypted in a controlled way outside the corporate network.
* The encryption process should be transparent and quick to the user, so that it does not interfere with their work or put any extra requirements on the user.
* Have methods - independent of the end user - which enable decryption of all encrypted data within the company network.